XRAY-138689 - Add Poetry support for jf ca by Phavya-jfrog · Pull Request #768 · jfrog/jfrog-cli-security

Phavya-jfrog · 2026-05-27T14:53:14Z

The pull request is targeting the dev branch.
The code has been validated to compile successfully by running go vet ./....
The code has been formatted properly using go fmt ./....
All static analysis checks passed.
All tests have passed. If this feature is not already covered by the tests, new tests have been added.
Updated the Contributing page / ReadMe page / CI Workflow files if needed.
All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

Previously jf ca had no Poetry support — running it on a Poetry project either fell back to the pip code path or produced incomplete results. This PR adds full Poetry (1.x and 2.x) support.

What changed:

Curation install via Artifactory — points Poetry's source at the api/curation/audit// endpoint and runs poetry lock against a temporary copy of the project, so all resolution routes through curation and 403 responses surface blocked packages. The user's pyproject.toml and poetry.lock are never modified. The original source name is preserved in the temp copy so existing poetry.lock entries stay valid.

Smart lock handling — checks whether poetry.lock is missing, stale, or up-to-date before changing the source URL (Poetry 1.x stores the URL in the lock and would otherwise always look stale). Generates, refreshes, or skips the lock accordingly, with automatic fallbacks for both Poetry 1.x and 2.x flag differences.

Blocked package table from poetry.lock — parses both v1 and v2 lock layouts and probes Artifactory for each package so blocked ones show up in the same table users already see for npm/pip.

CVS-blocked detection for Poetry — Poetry reports CVS-hidden versions as "doesn't match any versions" instead of a 403; that pattern is now picked up and rendered as a blocked package.

Graceful 403 handling — Poetry-emitted 403s now render the standard curation-blocked message instead of raw Poetry output.

Minimum Poetry version — 1.2.0 required for curation, with a clear error otherwise.

Testing done is documented here https://jfrog-int.atlassian.net/browse/XRAY-141531

…o feature/XRAY-138689-add-poetry-support

attiasas

Take a look at my comments. in addition make sure CI and static tests are passing (unless not related to the fix)

github-actions · 2026-06-11T06:44:11Z

🐸 JFrog Frogbot

The implementation was changed to return a blocked PackageStatus (with BlockingReasonUnknown) instead of an error when a 403 response body cannot be parsed. The test still expected the old error-returning behavior, causing all-platform unit test failures in CI. Also simplify string formatting in setCurationSourceInPyproject.

Phavya-jfrog requested a deployment to frogbot May 27, 2026 14:53 — with GitHub Actions Waiting

Phavya-jfrog force-pushed the feature/XRAY-138689-add-poetry-support branch from 963c301 to 6fb0884 Compare May 27, 2026 14:56

Phavya-jfrog requested a deployment to frogbot May 27, 2026 14:56 — with GitHub Actions Waiting

Phavya-jfrog changed the title ~~Feature/xray 138689 add poetry support for jf ca~~ XRAY-138689 - Add Poetry support for jf ca May 28, 2026

XRAY-138689 - Add Poetry support for jf ca

4e010d2

Phavya-jfrog force-pushed the feature/XRAY-138689-add-poetry-support branch from 6fb0884 to 4e010d2 Compare May 28, 2026 13:00

Phavya-jfrog requested a deployment to frogbot May 28, 2026 13:00 — with GitHub Actions Waiting

Review changes fix

90827e9

Phavya-jfrog requested a deployment to frogbot May 28, 2026 16:55 — with GitHub Actions Waiting